Abstract

DDoS attacks expose two seemingly contradictory expectations of the Internet: end hosts should be able to access services in an open and flexible manner, yet a service should be able to prevent a group of end hosts from rendering it unavailable to others. While the majority of prior work has focused on distinguishing malicious traffic from valid traffic, we argue that networks also need to provide an essential property to prevent attacks: "accountability". We define a network to be accountable when the sources of all traffic within it can be accurately and reliably identified, and receivers have the ability to effectively block traffic to them from any such source. We propose a simple approach to directly providing accountability within a group of ASes. It combines a regime of strict ingress filtering on all edge traffic, to ensure that its source information is accurate, with an AS-based infrastructure that allows hosts to request that traffic to them from specific other hosts be blocked at the source. We sketch the necessary mechanisms for implementing this approach, including a detailed design for a filter request service. As with most new techniques designed for the Internet, we do not expect complete adoption by all networks or ASes overnight. Our design accounts for this difficulty by using the previously proposed "evil bit" in IP headers, in a way that allows a group of ASes that implement accountability to collectively reduce the impact of DDoS attacks for end hosts and services within their portion of the Internet, even in the presence of unaccountable ASes. We also present evidence of the economic and technical feasibility of our approach.
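To make the three pieces of the sketch concrete, here is an added toy model in Python (example code, not from the paper): accountable ASes apply strict ingress filtering so a packet's source is trustworthy, a receiver's filter request is installed at the source AS only when that AS is accountable, and traffic that entered from an unaccountable AS is marked with the evil bit so a receiver under attack can shed it. The prefixes, the rule that the accountable destination AS sets the evil bit, and the per-host-pair filter granularity are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AS:
    prefix: str              # address space the AS originates, e.g. "10.0.0.0/8" (constructed)
    accountable: bool        # does it do strict ingress filtering and honour filter requests?
    blocked: set = field(default_factory=set)  # installed filter requests: (src host, dst host)

    def __post_init__(self):
        self.net = ipaddress.ip_network(self.prefix)

@dataclass
class Packet:
    src: str
    dst: str
    evil: bool = False       # the "evil bit" in the IP header

class Network:
    def __init__(self, ases):
        self.ases = list(ases)

    def origin_as(self, ip):
        addr = ipaddress.ip_address(ip)
        return next((a for a in self.ases if addr in a.net), None)

    def request_filter(self, victim, attacker):
        """Receiver asks the attacker's AS to drop attacker->victim traffic at the source;
        honoured only when that AS is accountable, i.e. its source addresses can be trusted."""
        src_as = self.origin_as(attacker)
        if src_as is None or not src_as.accountable:
            return False
        src_as.blocked.add((attacker, victim))
        return True

    def forward(self, ingress_as, pkt, receiver_under_attack=False):
        """Fate of a packet injected at ingress_as's edge."""
        if ingress_as.accountable:
            # Strict ingress filtering: the source must lie inside the AS's own prefix.
            if ipaddress.ip_address(pkt.src) not in ingress_as.net:
                return "dropped: spoofed source"
            if (pkt.src, pkt.dst) in ingress_as.blocked:
                return "dropped: filter request at source"
        dst_as = self.origin_as(pkt.dst)
        # Assumption: an accountable destination AS sets the evil bit on traffic from unaccountable ASes.
        if dst_as is not None and dst_as.accountable and not ingress_as.accountable:
            pkt.evil = True
        if receiver_under_attack and pkt.evil:
            return "dropped: evil bit during attack"
        return "delivered"
```

An unaccountable AS neither filters spoofed sources nor honours requests, so its traffic is still delivered, but it arrives marked and can be deprioritised by the receiver during an attack.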